ASA different groups for different interfaces

Unanswered Question
Feb 16th, 2007

Hi all,

I've configured an ASA5510 for VPN access both from the internet and from a wireless LAN on the same device.

However, I've got two different crypto maps, each one applied to a different interface of the ASA, and two tunnel groups for the two groups of users.

Now I was looking for a way to link each tunnel group to a specific crypto map or interface.

In other words, I want to be sure that a user of the wireless VPN cannot get corporate access through the internet simply by changing the IP address in the profile and installing it on a home computer, which is exactly what could happen now.

Do I need to split the profiles across two different devices, or is there a way that I cannot see?



ggilbert Fri, 02/16/2007 - 10:45


If the user changes the .pcf file on the VPN client to the other address, then yes, they can connect to the other interface without any problems.

You cannot tie a tunnel-group to an interface.

But you can do this.

Create two different group-policies and assign them to the tunnel-group or to the user.

Now the user can only access with the policy he is tied to.

You can also specify a filter in the group policy which gives granular access to which internal network can access which VPN client pool.

Rate it, if this helps.



Massimo Baschieri Fri, 02/16/2007 - 15:26

Hi Gilbert,

Thanks for your reply.

I've already taken the measures you described, but I need to go further.

If the only alternative I've got is to dedicate an ASA to each application, I'll go that way.

Thanks again,


ggilbert Mon, 02/19/2007 - 05:52


You do not have to dedicate two ASAs for this reason.

You can pass down a user-based ACL from the ACS server for the particular user connecting.

So, that should help you out.



Rate this post, if it helps.

Massimo Baschieri Mon, 02/19/2007 - 11:01


I'm a little confused: are the ACLs bindable to a specific interface or tunnel group?

I want to completely prevent some wireless users from connecting from home; for some, I want them to connect with much fewer privileges than those they have at the workplace. Can I obtain this with ACLs?



ggilbert Tue, 02/20/2007 - 07:02


I re-read your problem and my answers to you.

So, in gist, you do not want the users of the wireless network to change the IP address, connect to the ASA and access your corporate network. Is that correct?

You have two options.

a. Bind the user to a group-policy and allow access to specified resources using a vpn-filter.

This is on the ASA itself.

b. Use downloadable ACLs for user authentication through a RADIUS ACS server, so that the ACL defines what access the user gets.

Hope this helps. Rate this post!



Massimo Baschieri Tue, 02/20/2007 - 07:43


Maybe I'm missing something... I've already bound the users to their group policy, but if I cannot statically bind the policy itself (or the tunnel group) to an interface, this is going to be ineffective, since all the policies are applied dynamically on any interface where the connection comes in (or permanently on all the interfaces where a dynamic crypto map is in place, I don't know).

The same applies, to my knowledge, to downloadable ACLs, which also work at the user level without any knowledge of the interface the user comes in on; this ends up granting the same rights to the users regardless of the interface they are coming in on.

Am I right?



ggilbert Fri, 02/23/2007 - 08:03

Max -

Maybe we are not getting something through, let me explain..

Let's say you have two networks,

10.10.10.x/24 and 20.20.20.x/24, inside of the ASA.

The wireless users are connecting to an IP address on a tunnel-group (wireless) and group-policy (wireless group). And you can configure the user on the ASA for that group-policy wireless group. You can also configure the "group-lock" feature, which puts the user in the group you configured for him; if he comes in on a different group, he will get rejected.

In addition to that you can configure vpn-filter for the particular group policy and say which network you want them access to.

Now, if the user comes into the ASA on an IP which is on the internet, let's say, and uses his username, which is tied to the group wireless, and comes in on a tunnel-group called, let's say, internet, then the authentication is going to fail, because of the group-lock feature and because the policy is tied to a specific tunnel-group.

Also, if the filter is applied to the group-policy, then only access to that network is permitted.

Hope this explains.



Please rate this post!!
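The configuration ggilbert describes above, written out as an added example (not from the original thread or from either poster). The two internal networks come from his post; everything else is an assumption: the tunnel-group name `wireless`, the group-policy `WIRELESS-GP`, the client pool 192.168.50.0/24, the user `alice` and a second tunnel-group `internet` for corporate users. Syntax is the IPsec remote-access CLI of the ASA 7.x era this thread is from (`type ipsec-ra` became `type remote-access` in later releases).

```cisco
! Added example, not from the thread. Names, addresses and pool are illustrative.
! Internal networks from the post: 10.10.10.0/24 (wireless users may reach it)
! and 20.20.20.0/24 (wireless users may not).
ip local pool WIRELESS-POOL 192.168.50.10-192.168.50.200 mask 255.255.255.0

! vpn-filter ACL. For remote-access clients the ACE is written with the
! client-assigned address as the source and the internal network as the
! destination. Anything not permitted here (e.g. 20.20.20.0/24) is dropped.
access-list WIRELESS-FILTER extended permit ip 192.168.50.0 255.255.255.0 10.10.10.0 255.255.255.0

group-policy WIRELESS-GP internal
group-policy WIRELESS-GP attributes
 vpn-tunnel-protocol ipsec
 vpn-filter value WIRELESS-FILTER
 ! group-lock: a user governed by this policy is rejected if the connection
 ! arrives on any tunnel-group other than "wireless"
 group-lock value wireless

tunnel-group wireless type ipsec-ra
tunnel-group wireless general-attributes
 address-pool WIRELESS-POOL
 default-group-policy WIRELESS-GP
tunnel-group wireless ipsec-attributes
 pre-shared-key ReplaceWithAStrongKey

! The corporate tunnel-group wireless users must not be able to use.
! Its policy (CORP-GP) is assumed to exist and to be configured separately.
tunnel-group internet type ipsec-ra
tunnel-group internet general-attributes
 default-group-policy CORP-GP

! Local user tied to the wireless policy. group-lock can also be set per user,
! which overrides the group-policy value.
username alice password ReplaceWithAStrongPassword
username alice attributes
 vpn-group-policy WIRELESS-GP
 group-lock value wireless
```

After a test connection, `show vpn-sessiondb remote` lists the tunnel group each session landed on and the filter name applied to it, which is the quickest way to confirm both settings took effect. Note what this does and does not do: group-lock ties the user to a tunnel-group, not to an interface, and the vpn-filter limits what the session can reach; as Massimo points out later in the thread, the same tunnel-group is still reachable on every interface that has a crypto map, so a user who keeps the `wireless` group name and only changes the peer address is not rejected by group-lock, only constrained by the filter.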

Massimo Baschieri Fri, 02/23/2007 - 10:46


You are very kind, and maybe I'm not that clear.

The point is they don't need to come in on a different group in order to get access from the internet. By default, when you create a tunnel group on the ASA, this group is active on all interfaces configured with a crypto map, so users simply need to change the IP in their wireless LAN profile to that of the public interface of the ASA in order to connect from the internet. I've tried it myself.

What I'm looking for is a way to change this behaviour, in other words to bind a tunnel group to an interface or a crypto map.

Do I miss something?



ggilbert Fri, 02/23/2007 - 12:59

Max -

Alright, how about you modify the profile so that they can't change the IP address on the client side? Just a "!" in front of the IP address in the VPN client profile (the .pcf file) would prevent them from changing the profile.

Will that work?
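What the suggestion above looks like in a profile, as an added example that is not from the thread or from ggilbert. As I recall the Cisco VPN Client administrator documentation, the read-only marker goes in front of the parameter name rather than the value; the peer address, description and group name are illustrative, and the exact key set of a real .pcf is larger than shown here.

```ini
; Added example, not from the thread. Address and names are illustrative.
; A "!" before the parameter name makes that field read-only in the
; VPN Client GUI (syntax as recalled from the VPN Client admin guide).
[main]
Description=Wireless LAN VPN
!Host=192.0.2.1
AuthType=1
!GroupName=wireless
EnableISPConnect=0
```

The caveat a practitioner will want: the .pcf is a plain-text file on the user's machine, so the "!" only locks the field in the GUI. Anyone who can open the file in an editor can remove the marker or change the address, which makes this a usability control rather than a security boundary; the tunnel-group/group-policy restrictions on the ASA remain the part that actually limits access.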



